Router behind router - how to prevent second router clients from accessing first router clients


If you can load an OS which supports ACLs you can control your data streams. I have not read this thread, just the title. On the second router add an ACL (or more than one) to only deny router 2 clients to router 1's local LAN. Use a /29 bit mask and do not use the first 6 IP addresses of router 1's local network since they are not denied. Start the IP address for the allow at 192.168.xxx.1 255.255.255.248. You are going to block all others on the local LAN. You need to make sure router 2's WAN IP address is 2 - 5 on router 1's network so it is not denied. If there are exceptions then add more ACLs.
 
OK, it's best if we just wait until you have a chance to confirm the settings and check the iptables rule from the command line.

I filled in the Network Services Filter Settings as follows (router 2):

source IP ->empty
Port Range ->empty
Destination IP ->192.168.1.*
Port range -> empty
Protocol (TCP/UDP) -> both
Those rules look correct. In my previous example I used a destination of 192.168.0.1 because that's how my router is set up. Sorry if that caused any confusion.

Is Router 1 perhaps forwarding this traffic, and not router 2? Am I making a gigantic error?
Or is it really a bug in the firmware?
Any traffic destined for router 1 should be dropped before it leaves router 2. So router 1 shouldn't have anything to do with it.
 
Thank you @ColinTaylor ! I had considered using the 3-router setup described in another thread to achieve this because of VLANs not readily accessible from GUI. But this may suffice.

Going a step further, is there a way to allow private resources on the first router/network to be accessed from the second router/network, like printer / scanner, while maintaining the client separation?
 
Hi @Wisiwyg

I can't see a way of doing it in the GUI. You'd have to install a firmware (like Merlin's) that allows custom scripts and then craft some iptables rules.

Even then it would be fairly horrible to maintain. The devices attached to router 1 would have to be given fixed IPs and then you would have to hard-code those IPs into the iptables rules on router 2. Yuck. :eek:
 
Thank you for the reply @ColinTaylor . Yes, yuck! I'll probably end up dedicating a separate printer for the 2nd router.
 
Dear Colin,

I just followed your advice. Here is what happened:

I entered the Network Services Filter Settings as follows:
source IP ->empty
Port Range ->empty
Destination IP ->192.168.1.0/24
Port range -> empty
Protocol (TCP/UDP) -> both

For clarity's sake: router 1 is in the range 192.168.1.* and router 2 is on the range 192.168.0.*

After entering the filter settings on router 2, I rebooted the device, just in case.

Unfortunately, I was still able to open a web page on a device on router 1 (192.168.1.127) from router 2 (wifi connected tablet on 192.168.0.141)!

Here is the FORWARD chain, obtained through SSH:

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
9730  881K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            192.168.1.0/24      tcp flags:0x3F/0x3F
    0     0 DROP       udp  --  br0    eth0    0.0.0.0/0            192.168.1.0/24
 1670  107K ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

It looks very similar to the table you showed. What could be wrong?
 
@ColinTaylor

You are right! Thanks a MILLION!

Here is the correct FORWARD chain, for whoever wants to do this as well:

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1742  112K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   376 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  br0    eth0    0.0.0.0/0            192.168.1.0/24
   83  4980 DROP       tcp  --  br0    eth0    0.0.0.0/0            192.168.1.0/24
  352 23475 ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

It now correctly shows the dropped packets, as it is supposed to do. :)
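The difference between the two listings above is worth checking by machine rather than by eye: in the first one the TCP rule carries `tcp flags:0x3F/0x3F`, which means "examine all six TCP flags and match only when all six are set". No normal segment looks like that, so the rule's counter stayed at zero while the web page loaded and the packet fell through to the `ACCEPT all br0 eth0` rule below it; the UDP rule had no such condition. The script below is an added example, not anything posted in this thread or shipped with the router firmware: it parses `iptables -L FORWARD -v -n` output (both listings from the thread are embedded as constructed input), flags rules that can never match, and walks the chain first-match for a new connection the way netfilter would. Interface names, addresses and the default policy are taken from the listings; the simulated client address 192.168.0.141 is the tablet mentioned earlier in the thread.

```python
import re
import ipaddress
from dataclasses import dataclass

# The two FORWARD chain listings posted in the thread (iptables -L FORWARD -v -n
# on router 2), embedded here as constructed input for the parser.
CHAIN_BEFORE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9730 881K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- br0 eth0 0.0.0.0/0 192.168.1.0/24 tcp flags:0x3F/0x3F
0 0 DROP udp -- br0 eth0 0.0.0.0/0 192.168.1.0/24
1670 107K ACCEPT all -- br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
"""

CHAIN_AFTER = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1742 112K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 376 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- br0 eth0 0.0.0.0/0 192.168.1.0/24
83 4980 DROP tcp -- br0 eth0 0.0.0.0/0 192.168.1.0/24
352 23475 ACCEPT all -- br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
"""

ALL_TCP_FLAGS = 0x3F  # FIN|SYN|RST|PSH|ACK|URG
FLAGS_RE = re.compile(r"tcp flags:0x([0-9A-Fa-f]+)/0x([0-9A-Fa-f]+)")  # mask/comp


@dataclass
class Rule:
    pkts: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # everything after the destination column (state, flags, ...)


def parse_chain(text):
    """Parse `iptables -L <chain> -v -n` output into (policy, [Rule, ...])."""
    lines = text.strip().splitlines()
    policy = re.search(r"policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the "Chain ..." and column header lines
        cols = line.split(None, 9)
        pkts, _bytes, target, proto, _opt, in_if, out_if, src, dst = cols[:9]
        extra = cols[9] if len(cols) > 9 else ""
        rules.append(Rule(int(pkts), target, proto, in_if, out_if, src, dst, extra))
    return policy, rules


def unmatchable_rules(rules):
    """1-based positions of rules requiring all six TCP flags at once. No normal
    segment carries that combination, so such a rule never fires."""
    hits = []
    for n, r in enumerate(rules, 1):
        m = FLAGS_RE.search(r.extra)
        if m and int(m.group(1), 16) == ALL_TCP_FLAGS and int(m.group(2), 16) == ALL_TCP_FLAGS:
            hits.append(n)
    return hits


def _iface_ok(pattern, actual):
    if pattern == "*":
        return True
    if pattern.startswith("!"):
        return actual != pattern[1:]
    return actual == pattern


def verdict(policy, rules, proto, in_if, out_if, src, dst, tcp_flags=0x02):
    """First-match walk for the opening packet of a NEW connection (default
    flags 0x02 = SYN). Conntrack-state rules that do not list NEW are skipped."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("all", proto):
            continue
        if not (_iface_ok(r.in_if, in_if) and _iface_ok(r.out_if, out_if)):
            continue
        if src_ip not in ipaddress.ip_network(r.src) or dst_ip not in ipaddress.ip_network(r.dst):
            continue
        if "state" in r.extra and "NEW" not in r.extra:  # covers "state" and "ctstate"
            continue
        m = FLAGS_RE.search(r.extra)
        if m and (tcp_flags & int(m.group(1), 16)) != int(m.group(2), 16):
            continue
        return r.target
    return policy


if __name__ == "__main__":
    for name, text in (("before", CHAIN_BEFORE), ("after", CHAIN_AFTER)):
        policy, rules = parse_chain(text)
        print(name, "unmatchable rules:", unmatchable_rules(rules),
              "| TCP from tablet to 192.168.1.127:",
              verdict(policy, rules, "tcp", "br0", "eth0", "192.168.0.141", "192.168.1.127"))
```

Run against the first listing the walk returns ACCEPT for a TCP connection to 192.168.1.127 (rule 5 is reported as unmatchable, rule 7 accepts) while UDP is already dropped by rule 6; against the second listing both protocols return DROP, which is what the non-zero counters on the two DROP rules confirm.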
 
Is Router 1 perhaps forwarding this traffic, and not router 2? Am I making a gigantic error?

If you are using a router behind another router you have to forward twice for devices connected behind the second router, and it's quite complex.

See this link for an explanation:

Double Router Forwarding
http://portforward.com/help/doublerouterportforwarding.htm

Ignore the detector; just read the rest of the info, as it explains what's got to happen in this situation.

The link was easier than typing it all from scratch.

pete
 
My setup has been working for the last 9 months.

Now there is a change in requirement:

I would like to give access to a printer and NAS which are located under Router 1, to the clients under router 2.

My first thought was that I could just change the Network Services Filter Settings as follows:

Printer on Router 1 on 192.168.1.124
NAS on Router 1 192.168.1.125
So I decided to open 124-127 to allow for future devices to be visible as well.

So the filter would be set to blacklist
range 192.168.1.0-123 (in the CIDR form, these are 5 entries)
range 192.168.1.128-255 (in the CIDR form of 192.168.1.128/25)
(both UDP and TCP)

instead of 192.168.1.0-192.168.1.255 (192.168.1.0/24)

Unfortunately, this does not work at all.

Why would this not work??

Any suggestions?
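Whether or not the filter GUI accepts it, the range-to-CIDR arithmetic in the post above is easy to get wrong by hand, and a wrong block list silently either blocks the printer or leaves a hole. The script below is an added example (not from this thread and not part of any router firmware) that computes the same blacklist two ways with Python's `ipaddress` module: as "the whole /24 minus the 192.168.1.124/30 hole" and as the poster's two explicit first-last ranges, checks that they agree, and tests individual addresses against the result. The `iptables_rules` helper emits plain iptables syntax for a scripted firewall; the interface names br0/eth0 are taken from the FORWARD listings earlier in the thread, and where such rules would be hooked into a given firmware is outside this example.

```python
import ipaddress

# Router 1's LAN and the four addresses that should stay reachable from router 2's
# clients (printer .124, NAS .125, spare .126 and .127), as in the post above.
LAN1 = ipaddress.ip_network("192.168.1.0/24")
ALLOWED = ipaddress.ip_network("192.168.1.124/30")


def blacklist_from_hole(lan, allowed):
    """Every CIDR block of `lan` except `allowed`, ordered by address."""
    return sorted(lan.address_exclude(allowed))


def blacklist_from_ranges(ranges):
    """The poster's formulation: explicit first-last ranges summarised to CIDR."""
    out = []
    for first, last in ranges:
        out.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return sorted(out)


def is_blocked(ip, cidrs):
    """True if `ip` falls inside any blacklisted block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)


def iptables_rules(cidrs, lan_if="br0", wan_if="eth0"):
    """Equivalent FORWARD rules: drop new traffic from the LAN side of router 2
    towards each blacklisted block on router 1's network."""
    return [f"iptables -I FORWARD -i {lan_if} -o {wan_if} -d {net} -j DROP" for net in cidrs]


if __name__ == "__main__":
    cidrs = blacklist_from_hole(LAN1, ALLOWED)
    poster = blacklist_from_ranges([("192.168.1.0", "192.168.1.123"),
                                    ("192.168.1.128", "192.168.1.255")])
    print("blocks:", [str(n) for n in cidrs], "| same as poster's ranges:", cidrs == poster)
    for ip in ("192.168.1.123", "192.168.1.124", "192.168.1.125", "192.168.1.127", "192.168.1.128"):
        print(ip, "blocked" if is_blocked(ip, cidrs) else "allowed")
    print("\n".join(iptables_rules(cidrs)))
```

The two methods produce the same six blocks: 192.168.1.0/26, .64/27, .96/28, .112/29, .120/30 (the five entries for 0-123) plus 192.168.1.128/25. If the GUI only accepts a limited number of entries, this is also the quickest way to count them before typing.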
 
Going allll the way back to the beginning, here is an easy way to isolate a secondary router and its clients. No filters, no static routes, no firewall rules.

Router 1 MAIN Network Router:
WAN Address: ISP provided address
WAN Network: ISP provided
WAN Subnet: ISP provided
LAN Address: 192.168.1.1
LAN Network: 192.168.0
LAN Subnet: 255.255.255.0
DHCP server DNS: Whatever you use (either ISP provided or user-specified DNS servers or 192.168.1.1)

Router 2 IoT (or guest) Isolated Network Router:
WAN Address: 192.168.1.2
WAN Network:192.168.1.0
WAN Subnet: 255.255.255.252 (This is the key element)
WAN Gateway: 192.168.1.1
WAN DNS: 192.168.1.1 only
LAN Address: 192.168.2.1
LAN Subnet: 255.255.255.0
DHCP Server DNS: 192.168.2.1 only

The WAN subnetting on Router 2 stops the routing of 192.168.2.xxx to anything but 192.168.1.1 on that subnet. The 255.255.255.252 subnet mask is limited to 4 total addresses, two of which are eaten up in administration. So this .252 subnet only allows traffic between 192.168.1.1 and 192.168.1.2 on the 192.168.1.0 subnet as far as Router 2 (and anything behind it) is concerned.

Here is a link that describes this .252 network.

Examples:
Client MAIN1 (192.168.1.100) can ping google.com
Client MAIN1 (192.168.1.100) can ping LAN side of Router 1 (192.168.1.1)
Client MAIN1 (192.168.1.100) cannot ping WAN side of Router 2 (192.168.1.2)
Client MAIN1 (192.168.1.100) cannot ping LAN side of Router 2 (192.168.2.1)
Client MAIN1 (192.168.1.100) cannot ping Client IoT1 (192.168.2.100)

Client IoT1 (192.168.2.100) can ping google.com
Client IoT1 (192.168.2.100) can ping LAN side of Router 2 (192.168.2.1)
Client IoT1 (192.168.2.100) can ping WAN side of Router 2 (192.168.1.2)
Client IoT1 (192.168.2.100) can ping LAN side of Router 1 (192.168.1.1)
Client IoT1 (192.168.2.100) cannot ping Client MAIN1 (192.168.1.100)

Here is a screenshot of the Router 2 WAN setup page:
[image: asus_wan_router2.jpg]
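The ping results listed above follow from two routing tables, and it helps to see them spelled out. The script below is an added example, not part of the post or of any router's firmware: it builds the routing tables implied by the configuration above (Router 2 with 192.168.1.2/30 on its WAN and a default route via 192.168.1.1; Router 1 with only its own /24 and a default route to the ISP), performs a longest-prefix-match lookup the way a router's forwarding code does, and lists which hosts a /30 can reach directly. The ISP-side gateway 203.0.113.1 and the Internet destination 203.0.113.50 are documentation-range placeholders, not addresses from the post.

```python
import ipaddress

# Routing tables implied by the configuration in the post above, constructed for
# this example. Entries are (prefix, interface, next hop); next hop None = on-link.
ROUTER1_ROUTES = [
    ("192.168.1.0/24", "br0", None),        # Router 1 LAN, 192.168.1.1 mask 255.255.255.0
    ("0.0.0.0/0", "eth0", "203.0.113.1"),   # default route towards the ISP (placeholder)
]
ROUTER2_ROUTES = [
    ("192.168.2.0/24", "br0", None),        # Router 2 LAN, 192.168.2.1 mask 255.255.255.0
    ("192.168.1.0/30", "eth0", None),       # Router 2 WAN, 192.168.1.2 mask 255.255.255.252
    ("0.0.0.0/0", "eth0", "192.168.1.1"),   # default via Router 1's LAN address
]


def lookup(routes, dst):
    """Longest-prefix match. Returns (interface, next_hop), with next_hop None
    for an on-link destination, or None when no route covers `dst`."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, via in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return None if best is None else (best[1], best[2])


def usable_hosts(prefix):
    """Host addresses inside a prefix, i.e. what a /30 WAN can talk to directly."""
    return [str(h) for h in ipaddress.ip_network(prefix).hosts()]


def explain(router_name, routes, dst):
    """Human-readable forwarding decision for one destination."""
    hop = lookup(routes, dst)
    if hop is None:
        return f"{router_name}: no route to {dst}"
    dev, via = hop
    if via is None:
        return f"{router_name}: {dst} is on-link via {dev}"
    return f"{router_name}: {dst} is forwarded to gateway {via} out {dev}"


if __name__ == "__main__":
    print("usable hosts in 192.168.1.0/30:", usable_hosts("192.168.1.0/30"))
    for dst in ("192.168.1.1", "192.168.1.100", "203.0.113.50"):
        print(explain("Router 2", ROUTER2_ROUTES, dst))
    for dst in ("192.168.1.2", "192.168.2.100"):
        print(explain("Router 1", ROUTER1_ROUTES, dst))
```

Two things the lookup makes explicit: from Router 2's point of view only 192.168.1.1 and 192.168.1.2 are on-link, so a packet for 192.168.1.100 is handed to the gateway 192.168.1.1 rather than delivered directly; and Router 1 has no route at all for 192.168.2.0/24, so anything a MAIN client sends to 192.168.2.100 leaves by the ISP default route (and Router 2's NAT presents its clients as 192.168.1.2 in any case). Whether 192.168.1.2 itself answers a ping from the main LAN is decided by Router 2's WAN-side firewall, not by routing.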
 
